Auditor Help: Security: SSH key generation

A free SSH key generator is available as part of a suite of SSH-enabled programs and can be used to create keys for Ecora for Unix.

Warning: An important factor to consider before using such keys under Windows is the overall security of the Windows platform. Because the private key is simply stored on disk, it can be accessed and potentially misused by anyone who has access to the system. Consider user access, shares, and physical location.

A qualified version of the software and accompanying documentation can be obtained from Ecora's website. Please download the program puttygen-x86.exe. For your convenience, Ecora has provided a complete set of the documentation; the file Chapter8.html contains the section specific to using public keys for SSH authentication.

Ecora does not endorse, resell, or support PuTTY or any other third-party software. Any SSH key generator can be used at the customer's discretion. These instructions use PuTTY as an example because it is widely available and freely distributed. Before using PuTTY or any other third-party software, be certain to read, understand, and agree to all copyright and license agreements.

PuTTY GUI

This program provides a GUI for generating keys. After downloading puttygen-x86.exe, double-click it to bring up the interface. Select the type of key you wish to generate from the Parameters section at the bottom of the GUI window.

Select the desired key type and click Generate to begin creating the key pair. Move your cursor around within the frame as indicated; the mouse movements supply the randomness (entropy) used to seed key generation.

After the key has been generated, click Save public key, then copy the public key to each target system and append it to $HOME/.ssh/authorized_keys.

Note: Make sure the ssh files are well secured: authorized_keys should be owned by the user and readable and writable by the user only (mode 600), and the $HOME/.ssh directory should be owned by the user with permissions rwx for the user only (mode 700).

$HOME must correspond to the named user specified in the Windows registry. In the example below, the named user is tony.

The private key must be saved on the local Windows system in C:\Program Files\Ecora\identity.

Use the Save private key button to save the private key to the specific filename location.

Note: Ecora does not currently support the use of a passphrase for private keys.

Add the default username (if desired) and the private-key location to the Windows registry. The easiest method is to create a text file with a .reg extension (my_ecora_keys.reg, for example) containing the information in the example below. Double-click the file my_ecora_keys.reg to load the settings into the Windows registry.

In the example below, the username used by default to connect to remote hosts is tony and the private key is stored in C:\Program Files\Ecora\identity.


---cut here---


"PublicKeyFile"="C:\\Program Files\\Ecora\\identity"

---cut here---

When Use SSH is selected, all communication is encrypted and the connection is established as the user specified in the Windows Registry. In this example, this would be the user tony.

Specify System using SSH

If there are reservations about using the root account on the target Unix systems, create an account that is a member of the group sys. This elevated privilege allows Ecora to collect detailed information about the systems, such as disk partition information.

By using the registry settings with an elevated user account, the Server Specification pop-up requires only the Hostname or IP address and the Use SSH option to be specified.

For SSHv2:
If your server is OpenSSH and you plan to use these keys to access your account, append your public key to the file $HOME/.ssh/authorized_keys on the target system.

Tip: In earlier versions of OpenSSH 2, the public key file might be called authorized_keys2. In modern versions, the same authorized_keys file is used for both SSH 1 and SSH 2 keys.

If your server is the commercial version of SSH2, save the public key into $HOME/.ssh2/ on the target system. The file $HOME/.ssh2/authorization must contain the following entry:


The file containing authorized public keys can hold multiple keys. Each is tested against the client's private key when authenticating the user; if none matches, ssh falls back to a password prompt.
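Installing a public key on a target Unix system the way the Save public key step, the note on file modes, and the multiple-key behaviour of authorized_keys describe, as an added example that is not part of the Ecora documentation or of PuTTY. It assumes a POSIX shell with GNU or BSD stat and a plain key line pasted from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box; the file written by Save public key is in SSH2 (RFC 4716) format, which OpenSSH's authorized_keys does not accept as-is, and the script rejects it.

```shell
#!/bin/sh
# Added example, not from the Ecora documentation or PuTTY.
# Usage: sh install_key.sh /home/tony "ssh-rsa AAAA... tony@win"

install_authorized_key() {
  # $1 = home directory of the target user, $2 = one-line OpenSSH public key
  home="$1"; key="$2"
  nl='
'
  case "$key" in
    *"$nl"*) echo "refusing: key must be a single line" >&2; return 1 ;;
    "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
    *) echo "refusing: not OpenSSH one-line format (PuTTYgen's Save public key" \
            "writes SSH2/RFC 4716 format, which authorized_keys does not accept)" >&2
       return 1 ;;
  esac
  # Create .ssh and the file with restrictive modes from the start (no window
  # where they are group/world readable), then append the key only if new:
  # authorized_keys may hold several keys, each tried in turn by sshd.
  ( umask 077 && mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" ) || return 1
  if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
  chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
}

# Verify what the note above asks for: 700 on $HOME/.ssh, 600 on authorized_keys,
# both owned by the user. $2 is the expected owner (defaults to the current user).
check_ssh_perms() {
  home="$1"; user="${2:-$(id -un)}"
  dir="$home/.ssh"; file="$dir/authorized_keys"
  # GNU stat first, BSD/macOS stat as the fallback
  dmode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
  fmode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  owner=$(stat -c %U "$dir" 2>/dev/null || stat -f %Su "$dir")
  [ "$dmode" = 700 ] && [ "$fmode" = 600 ] && [ "$owner" = "$user" ]
}

if [ "$#" -eq 2 ]; then
  install_authorized_key "$1" "$2" && check_ssh_perms "$1" && echo "installed and verified"
fi
```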

Warning: If you elect to download and use the entire PuTTY suite, note that it includes a terminal emulator and a number of other SSH-enabled programs. Once the related registry keys have been loaded, the default action for these programs is to use the root account with the authorization key for all connections. The NT/2000 system must be properly secured to prevent unauthorized access through key authentication.

Resource: The PLINK utility is used for SSH connections.